Clandestiny
August 10th, 2002, 01:42
Hiya,
I just installed SoftICE Driver Studio 2.6 on my Win2K PC and it works great excepting one mysterious problem... I seem to be getting a fatal BSOD whenever I attempt to restart my PC from within Win2k. It reports the following error:
***STOP: 0x0000000A(0x00000020, 0x000000FF, 0x00000001, 0x80069128) IRQL_NOT_LESS_OR_EQUAL
*** Address 80069128 base at 80062000, Date Stamp 3C989E09 - hal.dll
Interestingly, the error is only generated on a "restart", NOT on a "shut down". I can shut down windows with no problems whatsoever. Likewise, an "hboot" command issued from within winice restarts my PC without any problems either. Having previously run Win98 as my reversing OS, I lack familiarity with Win2k but I have done some preliminary research with the limited information provided to me... Apparently, the error I am recieving generally corresponds to an invalid memory access and a description of the error follows below:
_______________________________________________
One of the more frequent trap codes generated by Windows NT is STOP
0x0000000A. This STOP message can be caused by both hardware and software
problems. To determine the specific cause, you must debug the STOP.
However, some general information can be learned by examining the
parameters of the STOP message and the STOP screen information.
MORE INFORMATION
================
STOP 0x0000000A indicates a kernel mode process or driver attempted to
access a memory address that it did not have permission to access. The most
common cause of this error is a bad or corrupt pointer that references an
incorrect location in memory. A pointer is a variable used by a program to
refer to a block of memory. If the variable has a bad value in it, then the
program tries to access memory that it should not. When this occurs in a
user mode application, it generates an access violation. When it occurs in
kernel mode, it generates a STOP 0x0000000A message.
To determine what process or driver tried to access memory it should not,
look at the parameters displayed on the STOP screen information. For
example, in the following STOP message
STOP 0x0000000A(0xWWWWWWWW, 0xXXXXXXXX, 0xYYYYYYYY, 0xZZZZZZZZ)
IRQL_NOT_LESS_OR_EQUAL
** Address 0xZZZZZZZZ has base at <address>- <driver>
The four parameters inside the parenthesis have the following meaning:
0xWWWWWWWW Address that was referenced improperly
0xXXXXXXXX IRQL that was required to access the memory
0xYYYYYYYY Type of access, 0=Read, 1=Write
0xZZZZZZZZ Address of instruction which attempted to reference
the memory at 0xWWWWWWWW
If the last parameter (0xZZZZZZZZ) falls within the address range of
one of the device drivers loaded on the system, you will know which
device driver was running when the memory access occurred. This driver is
often identified in the third line of the STOP screen:
**Address 0xZZZZZZZZ has base at <address>- <driver name>
_______________________________________________
From this description I can conclude...
Improperly referenced address: 0x00000020
Access Type: write
Instruction that atttempted memory reference: 80069128... A disassembly of this address in winice informs me that the fault occured in the HalSetTimeIncrement function.
Research into the apparently undocumented HalSetTimeIncrement function reveals the following:
_______________________________________________
"In hal.dll there is a Funktion named "ULONG HalSetTimeIncrement( IN
ULONG Increment);". It accepts the requested resolution whith a base
of 100 ns. (It is undockumented) And it returns the real resolution.
But try it... It is not dangerous, but you will not get the expected
results."
_______________________________________________
I attempted to set a breakpoint on the faulting address in SI, but it locks my *entire* system up, even beyond BSOD lockup and I must cut the power to recover. I currently have SI set to load in "automatic" mode. Maybe I need to set it to "boot" mode to trace this type of error??? I have also researched the problem on google, microsoft knowledge base, and numega's site without success. I did find one reference to the error here on the mb(http://www.woodmann.net/forum/showthread.php?s=&threadid=3135&highlight=hal.dll), but it lacked response.
Has anyone else experienced this error??? I would be immensely grateful if someone could point me in the right direction on this one. Hehe, I'm not too confident in my ability to single handedly debug the Win2K kernel
Here are my system specs if required:
SoftICE version: Driver Studio 2.6
OS: Windoze 2000 Professional
Processor: AMD Athlon XP 2200
Memory: 512 MB
Video Card: GForce 4
Audio: Sound Blaster Live 5.1
Chipset: VIA KT333
Thanks In Advance,
Clandestiny
I just installed SoftICE Driver Studio 2.6 on my Win2K PC and it works great excepting one mysterious problem... I seem to be getting a fatal BSOD whenever I attempt to restart my PC from within Win2k. It reports the following error:
***STOP: 0x0000000A(0x00000020, 0x000000FF, 0x00000001, 0x80069128) IRQL_NOT_LESS_OR_EQUAL
*** Address 80069128 base at 80062000, Date Stamp 3C989E09 - hal.dll
Interestingly, the error is only generated on a "restart", NOT on a "shut down". I can shut down windows with no problems whatsoever. Likewise, an "hboot" command issued from within winice restarts my PC without any problems either. Having previously run Win98 as my reversing OS, I lack familiarity with Win2k but I have done some preliminary research with the limited information provided to me... Apparently, the error I am recieving generally corresponds to an invalid memory access and a description of the error follows below:
_______________________________________________
One of the more frequent trap codes generated by Windows NT is STOP
0x0000000A. This STOP message can be caused by both hardware and software
problems. To determine the specific cause, you must debug the STOP.
However, some general information can be learned by examining the
parameters of the STOP message and the STOP screen information.
MORE INFORMATION
================
STOP 0x0000000A indicates a kernel mode process or driver attempted to
access a memory address that it did not have permission to access. The most
common cause of this error is a bad or corrupt pointer that references an
incorrect location in memory. A pointer is a variable used by a program to
refer to a block of memory. If the variable has a bad value in it, then the
program tries to access memory that it should not. When this occurs in a
user mode application, it generates an access violation. When it occurs in
kernel mode, it generates a STOP 0x0000000A message.
To determine what process or driver tried to access memory it should not,
look at the parameters displayed on the STOP screen information. For
example, in the following STOP message
STOP 0x0000000A(0xWWWWWWWW, 0xXXXXXXXX, 0xYYYYYYYY, 0xZZZZZZZZ)
IRQL_NOT_LESS_OR_EQUAL
** Address 0xZZZZZZZZ has base at <address>- <driver>
The four parameters inside the parenthesis have the following meaning:
0xWWWWWWWW Address that was referenced improperly
0xXXXXXXXX IRQL that was required to access the memory
0xYYYYYYYY Type of access, 0=Read, 1=Write
0xZZZZZZZZ Address of instruction which attempted to reference
the memory at 0xWWWWWWWW
If the last parameter (0xZZZZZZZZ) falls within the address range of
one of the device drivers loaded on the system, you will know which
device driver was running when the memory access occurred. This driver is
often identified in the third line of the STOP screen:
**Address 0xZZZZZZZZ has base at <address>- <driver name>
_______________________________________________
From this description I can conclude...
Improperly referenced address: 0x00000020
Access Type: write
Instruction that atttempted memory reference: 80069128... A disassembly of this address in winice informs me that the fault occured in the HalSetTimeIncrement function.
Research into the apparently undocumented HalSetTimeIncrement function reveals the following:
_______________________________________________
"In hal.dll there is a Funktion named "ULONG HalSetTimeIncrement( IN
ULONG Increment);". It accepts the requested resolution whith a base
of 100 ns. (It is undockumented) And it returns the real resolution.
But try it... It is not dangerous, but you will not get the expected
results."
_______________________________________________
I attempted to set a breakpoint on the faulting address in SI, but it locks my *entire* system up, even beyond BSOD lockup and I must cut the power to recover. I currently have SI set to load in "automatic" mode. Maybe I need to set it to "boot" mode to trace this type of error??? I have also researched the problem on google, microsoft knowledge base, and numega's site without success. I did find one reference to the error here on the mb(http://www.woodmann.net/forum/showthread.php?s=&threadid=3135&highlight=hal.dll), but it lacked response.
Has anyone else experienced this error??? I would be immensely grateful if someone could point me in the right direction on this one. Hehe, I'm not too confident in my ability to single handedly debug the Win2K kernel
Here are my system specs if required:
SoftICE version: Driver Studio 2.6
OS: Windoze 2000 Professional
Processor: AMD Athlon XP 2200
Memory: 512 MB
Video Card: GForce 4
Audio: Sound Blaster Live 5.1
Chipset: VIA KT333
Thanks In Advance,
Clandestiny
